Re: Tracking SirCam

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Wed Jul 25 2001 - 15:58:42 PDT


    woodsat_private (Greg A. Woods) wrote:
    
    >   From an SMTP point of view the headers are part of the body.  The
    > savings over filtering just the headers, vs. filtering up to at least
    > the second MIME part in this case, is virtually nonexistent on any
    > kind of modern hardware.
    
    Indeed...
    
    > (BTW, I seriously doubt any of the so-called experts who have been
    > commenting on the relative impact of this worm compared to others before it
    > -- so far it's by and far the worst I've ever seen, either in my own
    > inbox, or in the way it's affected mail servers, particularly at ISPs.
    
    The magnitude of the ISP effect is probably due to two things...
    
    First, as Greg mentioned, the virus's size is above most previous
    (and all "successful"?) mass mailers.  The virus itself is approx
    135KB then it concatenates a DOC, XLS, ZIP (or JPG (?) found in the
    "My Documents" directory) to itself.  The smallest field sample I've
    seen so far is just over 200KB.
    
    Second, most corporate sites are relatively unaffected by this.  The
    smart ones have (eventually) resorted to whitelist attachment
    file-type filtering and many of the rest have been lucky enough that
    their scanner has not needed updating to scan .LNK files...  This
    means that the bulk of the effect will be borne by ISPs *and* they
    tend to use "store and forward" (POP) or straight store (IMAP) mail
    systems for their clientele.  Their clientele may also tend to be
    more lax about checking/clearing their Email *and* it's probably a
    fair bet that the "dead-account" ratio is much higher on your typical
    ISP/free Email service provider than your typical corporate network.
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
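An allowlist attachment filter of the kind the corporate sites above resorted to, written here as an added example (not code from the thread or from any product it mentions). It walks the MIME parts of a message, judges each attachment by its final extension so that a name such as `report.doc.lnk` is treated as a .LNK, and refuses anything not on the allowlist; the allowlist contents, the function names and the sample message are constructed assumptions.

```python
"""Allowlist-based attachment filter (added example; names and data are constructed)."""
import email
from email import policy
from email.message import EmailMessage

# Constructed allowlist: only these extensions pass. Everything else, including
# .lnk (which the post notes some scanners were not yet inspecting), is denied.
ALLOWED_EXTENSIONS = {"doc", "xls", "zip", "jpg", "pdf", "txt"}


def attachment_verdict(filename: str) -> str:
    """Return 'allow' or 'deny' for one attachment filename.

    The *last* extension decides, so 'report.doc.lnk' is judged as 'lnk'.
    A name without any extension is denied because it cannot be classified.
    """
    name = filename.strip().lower()
    if "." not in name:
        return "deny"
    return "allow" if name.rsplit(".", 1)[1] in ALLOWED_EXTENSIONS else "deny"


def check_message(raw: bytes) -> list:
    """Parse a raw RFC 2822 message; return one (filename, verdict) per attachment.

    Only parts carrying a filename or a Content-Disposition of attachment are
    judged; the text body and the multipart container are skipped.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        fname = part.get_filename()
        if part.is_attachment() or fname:
            results.append((fname, attachment_verdict(fname)))
    return results


def build_sample(filename: str, payload: bytes) -> bytes:
    """Construct a small multipart message with one attachment (test data only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Constructed sample message"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("budget.xls", "notes.xls.lnk", "README"):
        print(name, check_message(build_sample(name, b"\x00" * 16)))
```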
    



    This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 09:04:44 PDT